John Mulligan said the company has learned software on another 25 checkout machines continued to steal payment card data three days after Dec. 15, the date by which the discounter had said the malware was removed from its system.

The machines that were still infected after Dec. 15 had been offline when the initial cleaning occurred. Cleaning a heavily infected network, especially while the organization tries to remain operational, must be one of the hardest jobs in computer security. There are just so many nooks and crannies in complex networks for threats to hide.